Network Overview

Home lab network infrastructure.

Network Details

Property	Value
Subnet	192.168.1.0/24
Gateway	192.168.1.1
DNS	192.168.1.50 (Pi-hole + Unbound recursive)
Router	ASUS RT-AX82U

---

🖥️ Hosts (Verified 2026-02-02)

IP	Hostname	Type	Purpose	Ports
192.168.1.1	Gateway	Router	ASUS RT-AX82U	—
192.168.1.10	npm	LXC	Nginx Proxy Manager (OpenResty)	22, 80, 81, 443
192.168.1.16	clawdbot	LXC	Old Clawdbot/SOTCD container	22
192.168.1.20	docker1	LXC	Docker stack (Portainer, Uptime Kuma, Vaultwarden)	22, 8080
192.168.1.50	pihole	LXC	Pi-hole DNS + ad blocking	22, 53, 80, 443
192.168.1.60	wireguard	LXC	WireGuard VPN Server	22, 51821/UDP
192.168.1.144	proxmox	Bare metal	Proxmox VE Hypervisor	22, 8006
192.168.1.156	pop-os	Bare metal	Main workstation	22, 3030, 8000, 8081, 32400
192.168.1.214	ShadowMaster	Windows	DJ Bot / Stream PC	22, 8080

---

💾 Storage Allocations

Path	Purpose	Size
/mnt/storage/knowledge-rag/chroma_db	ChromaDB vector store	16GB+ (growing)
/mnt/storage/books_organized	Book corpus for RAG	~500GB
/mnt/storage/QB_kruse_pateron	Quantum Biology corpus	TBD

ChromaDB migrated 2026-02-02 from root drive to prevent exhaustion

---

🐳 Docker Services

pop-os (192.168.1.156) - Local Workstation

Container	Port	Purpose
plex	32400	Media server
paperless	8000	Document management
stirling-pdf	8081	PDF tools
paperless-redis	6379 (internal)	Redis for Paperless
ollama	11434 (localhost)	Local LLM inference

docker1 (192.168.1.20)

Container	Port	Purpose
Portainer	8080	Docker management
Uptime Kuma	TBD	Status monitoring
Vaultwarden	TBD	Password manager

---

🔐 VPN Configuration

NordVPN (pop-os Local) - WORKING CONFIG (2026-02-03)

Setting	Value	Notes
Technology	NordLynx (WireGuard)
Routing	enabled	✅ Works with proper allowlists
Firewall	enabled	Required by Kill Switch
Kill Switch	enabled
DNS	192.168.1.1	Router/Pi-hole
LAN Discovery	disabled	Must be OFF to use subnet allowlists

Allowlisted Subnets:

192.168.1.0/24   # LAN + Pi-hole
172.17.0.0/16    # Docker bridge
172.18.0.0/16    # Docker bridge  
172.19.0.0/16    # Docker bridge
127.0.0.0/8      # Localhost

Allowlisted Ports:

53/UDP       # DNS (Pi-hole)
3030/UDP+TCP # Quartz (NPM proxy)
8096/UDP+TCP # Jellyfin

Pi-hole Whitelist (REQUIRED):

api.telegram.org
telegram.org
api.anthropic.com
anthropic.com

✅ Fixed 2026-02-02: VPN routing works when Pi-hole has API domains whitelisted and NordVPN has LAN/Docker subnets allowlisted. LAN Discovery must be OFF to use subnet allowlists.

WireGuard Server (192.168.1.60)

Property	Value
Port	51821/UDP (custom, default+1)
Router forward	51821/UDP → 192.168.1.60:51821

---

🌍 Domain & DNS

Domain Assets

Domain	Registrar	Purpose	Status
shdwnet.org	Porkbun	The Signal from SOTCD project	✅ VPS only
shdwnet.cloud	Porkbun	Infrastructure + reverse proxy services	✅ Live

GitHub Repos

Repo	Purpose	Deployment
red40mademedoit/shdwnet.org	The Signal source	VPS (manual)
red40mademedoit/notes.shdwnet.org	Quartz notes source	Local PM2 (version control only)

✅ Migration Complete (2026-02-03)

All reverse proxies migrated from shdwnet.org → shdwnet.cloud. Both domains operational.

Domain	Purpose
shdwnet.org	The Signal from SOTCD (VPS only)
notes.shdwnet.cloud	Quartz/Obsidian notes (local PM2 + NPM)
*.shdwnet.cloud	All reverse proxy services

Cleanup performed 2026-02-03:

• ❌ Deleted Cloudflare Pages project notes-shdwnet-org (was deploying to wrong domain)
• ❌ Disabled GitHub Pages on red40mademedoit/shdwnet.org repo (placeholder no longer needed)
• ✅ Notes now served locally: PM2 (npx quartz build --serve) → NPM → notes.shdwnet.cloud
• ✅ Port 3030 added to NordVPN allowlist for NPM→Quartz connectivity

Internal DNS (Pi-hole v6) - Split-Horizon Setup

See Split-Horizon DNS Guide for full details.

Hostname	IP	Notes
pi.hole	192.168.1.50	Pi-hole admin
shdwnet.cloud	192.168.1.10	→ NPM (root)
notes.shdwnet.cloud	192.168.1.10	→ NPM → Quartz (PM2 :3030)
plex.shdwnet.cloud	192.168.1.10	→ NPM → Plex
vault.shdwnet.cloud	192.168.1.10	→ NPM → Vaultwarden
uptime.shdwnet.cloud	192.168.1.10	→ NPM → Uptime Kuma
pulse.shdwnet.cloud	192.168.1.10	→ NPM → Uptime Kuma (alias)
paperless.shdwnet.cloud	192.168.1.10	→ NPM → Paperless-ngx
portainer.shdwnet.cloud	192.168.1.10	→ NPM → Portainer
netdata.shdwnet.cloud	192.168.1.10	→ NPM → VPS:19998
proxmox.shdwnet.cloud	192.168.1.144	Direct (internal only)

Active shdwnet.cloud Subdomains (NPM)

Subdomain	Target	Service	SSL
notes.shdwnet.cloud	pop-os:3030	Quartz notes	✅
plex.shdwnet.cloud	pop-os:32400	Plex	✅
paperless.shdwnet.cloud	pop-os:8000	Paperless-ngx	✅
vault.shdwnet.cloud	docker1:443	Vaultwarden	✅
uptime.shdwnet.cloud	docker1:3001	Uptime Kuma	✅
pulse.shdwnet.cloud	docker1:3001	Uptime Kuma (alias)	✅
portainer.shdwnet.cloud	docker1:9443	Portainer	✅
netdata.shdwnet.cloud	VPS:19998	Netdata monitoring	✅

---

🏗️ Architecture

Internet
    │
    ├── shdwnet.org (Cloudflare → VPS) ✅ LIVE
    │    └── The Signal from SOTCD (SHDWNET Dashboard)
    │
    ├── shdwnet.cloud (Cloudflare → NPM) ✅ LIVE
    │    ├── notes.shdwnet.cloud → pop-os:3030 (Quartz)
    │    ├── plex.shdwnet.cloud → pop-os:32400
    │    ├── paperless.shdwnet.cloud → pop-os:8000
    │    ├── vault.shdwnet.cloud → docker1:443
    │    ├── uptime/pulse.shdwnet.cloud → docker1:3001
    │    ├── portainer.shdwnet.cloud → docker1:9443
    │    └── netdata.shdwnet.cloud → VPS:19998
    │    ├── uptime.shdwnet.cloud → docker1:uptime
    │    └── paperless.shdwnet.cloud → pop-os:8000
    │
    └── Router / Gateway (192.168.1.1)
         │
         ├── NPM Reverse Proxy (.10)
         │    └── *.shdwnet.cloud → internal services
         │
         ├── WireGuard VPN (.60:51821/UDP)
         │
         ├── Pi-hole DNS (.50)
         │
         ├── docker1 (.20)
         │    ├── Portainer
         │    ├── Uptime Kuma
         │    └── Vaultwarden
         │
         ├── Proxmox Hypervisor (.144)
         │    ├── LXC: NPM (.10)
         │    ├── LXC: Pi-hole (.50)
         │    ├── LXC: WireGuard (.60)
         │    ├── LXC: docker1 (.20)
         │    └── LXC: clawdbot (.16) [legacy]
         │
         ├── Pop!_OS Workstation (.156)
         │    ├── Docker: Plex, Paperless, Stirling
         │    ├── Ollama (localhost)
         │    └── NordVPN (NordLynx)
         │
         └── ShadowMaster Windows (.214)
              └── SuperCollider / SOTCD Stream

---

🔧 SSH Access Quick Reference

# Proxmox hosts (key: github_ed25519)
ssh -i ~/.ssh/github_ed25519 root@192.168.1.16   # clawdbot
ssh -i ~/.ssh/github_ed25519 root@192.168.1.10   # npm (if configured)
 
# docker1
ssh root@192.168.1.20
 
# ShadowMaster (Windows)
ssh -i ~/.ssh/id_ed25519 shdwadmin@192.168.1.214

---

📝 Notes

• NordVPN + LAN Issue: NordVPN routing conflicts with local Docker/DNS. Keep routing disabled or configure split tunneling.
• clawdbot (.16): Legacy container, old SOTCD configs at /root/.moltbot/ and /root/clawd/
• WireGuard custom port: Using 51821 instead of 51820 to avoid conflicts

---

Related

• Proxmox Setup
• Split-Horizon DNS Guide ← NEW: LAN domain setup
• Pi-hole DNS
• WireGuard VPN
• Nginx Proxy Manager